MariaDB Open source fork of MySQL database
Products by MariaDB Sorted by Most Security Vulnerabilities since 2018
@mariadb Tweets

Sun Mar 26 15:53:00 +0000 2023

Sat Mar 25 17:47:00 +0000 2023

Sat Mar 25 15:24:00 +0000 2023

Fri Mar 24 22:55:00 +0000 2023

Fri Mar 24 21:41:00 +0000 2023
By the Year
In 2023 there have been 1 vulnerability in MariaDB with an average score of 6.5 out of ten. Last year MariaDB had 60 security vulnerabilities published. Right now, MariaDB is on track to have less security vulnerabilities in 2023 than it did last year. Last year, the average CVE base score was greater by 0.34
Year | Vulnerabilities | Average Score |
---|---|---|
2023 | 1 | 6.50 |
2022 | 60 | 6.84 |
2021 | 15 | 5.43 |
2020 | 16 | 5.82 |
2019 | 16 | 5.48 |
2018 | 40 | 5.58 |
It may take a day or so for new MariaDB vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.
Recent MariaDB Security Vulnerabilities
MariaDB Server before 10.3.34 thru 10.9.3 is vulnerable to Denial of Service
CVE-2022-47015
6.5 - Medium
- January 20, 2023
MariaDB Server before 10.3.34 thru 10.9.3 is vulnerable to Denial of Service. It is possible for function spider_db_mbase::print_warnings to dereference a null pointer.
NULL Pointer Dereference
Vulnerability in the MySQL Server product of Oracle MySQL (component: C API)
CVE-2022-21595
4.4 - Medium
- October 18, 2022
Vulnerability in the MySQL Server product of Oracle MySQL (component: C API). Supported versions that are affected are 5.7.36 and prior and 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).
In MariaDB before 10.9.2, compress_write in extra/mariabackup/ds_compress.cc does not release data_mutex upon a stream write failure, which
CVE-2022-38791
5.5 - Medium
- August 27, 2022
In MariaDB before 10.9.2, compress_write in extra/mariabackup/ds_compress.cc does not release data_mutex upon a stream write failure, which allows local users to trigger a deadlock.
MariaDB v10.2 to v10.7 was discovered to contain a segmentation fault
CVE-2022-32088
7.5 - High
- July 01, 2022
MariaDB v10.2 to v10.7 was discovered to contain a segmentation fault via the component Exec_time_tracker::get_loops/Filesort_tracker::report_use/filesort.
MariaDB v10.4 to v10.8 was discovered to contain a segmentation fault
CVE-2022-32086
7.5 - High
- July 01, 2022
MariaDB v10.4 to v10.8 was discovered to contain a segmentation fault via the component Item_field::fix_outer_field.
MariaDB v10.2 to v10.7 was discovered to contain a segmentation fault
CVE-2022-32084
7.5 - High
- July 01, 2022
MariaDB v10.2 to v10.7 was discovered to contain a segmentation fault via the component sub_select.
MariaDB v10.5 to v10.7 was discovered to contain a segmentation fault
CVE-2022-32089
7.5 - High
- July 01, 2022
MariaDB v10.5 to v10.7 was discovered to contain a segmentation fault via the component st_select_lex_unit::exclude_level.
MariaDB v10.2 to v10.7 was discovered to contain a segmentation fault
CVE-2022-32085
7.5 - High
- July 01, 2022
MariaDB v10.2 to v10.7 was discovered to contain a segmentation fault via the component Item_func_in::cleanup/Item::cleanup_processor.
MariaDB v10.2 to v10.6.1 was discovered to contain a segmentation fault
CVE-2022-32083
7.5 - High
- July 01, 2022
MariaDB v10.2 to v10.6.1 was discovered to contain a segmentation fault via the component Item_subselect::init_expr_cache_tracker.
MariaDB v10.7 was discovered to contain an use-after-poison in in __interceptor_memset at /libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc.
CVE-2022-32091
7.5 - High
- July 01, 2022
MariaDB v10.7 was discovered to contain an use-after-poison in in __interceptor_memset at /libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc.
Dangling pointer
MariaDB v10.5 to v10.7 was discovered to contain an assertion failure at table->get_ref_count() == 0 in dict0dict.cc.
CVE-2022-32082
7.5 - High
- July 01, 2022
MariaDB v10.5 to v10.7 was discovered to contain an assertion failure at table->get_ref_count() == 0 in dict0dict.cc.
assertion failure
MariaDB v10.4 to v10.7 was discovered to contain an use-after-poison in prepare_inplace_add_virtual at /storage/innobase/handler/handler0alter.cc.
CVE-2022-32081
7.5 - High
- July 01, 2022
MariaDB v10.4 to v10.7 was discovered to contain an use-after-poison in prepare_inplace_add_virtual at /storage/innobase/handler/handler0alter.cc.
Dangling pointer
MariaDB v10.2 to v10.7 was discovered to contain a segmentation fault
CVE-2022-32087
7.5 - High
- July 01, 2022
MariaDB v10.2 to v10.7 was discovered to contain a segmentation fault via the component Item_args::walk_args.
MariaDB Server before 10.7 is vulnerable to Denial of Service
CVE-2022-31621
5.5 - Medium
- May 25, 2022
MariaDB Server before 10.7 is vulnerable to Denial of Service. In extra/mariabackup/ds_xbstream.cc, when an error occurs (stream_ctxt->dest_file == NULL) while executing the method xbstream_open, the held lock is not released correctly, which allows local users to trigger a denial of service due to the deadlock.
Improper Locking
MariaDB Server before 10.7 is vulnerable to Denial of Service
CVE-2022-31623
5.5 - Medium
- May 25, 2022
MariaDB Server before 10.7 is vulnerable to Denial of Service. In extra/mariabackup/ds_compress.cc, when an error occurs (i.e., going to the err label) while executing the method create_worker_threads, the held lock thd->ctrl_mutex is not released correctly, which allows local users to trigger a denial of service due to the deadlock.
Improper Locking
MariaDB Server before 10.7 is vulnerable to Denial of Service
CVE-2022-31622
5.5 - Medium
- May 25, 2022
MariaDB Server before 10.7 is vulnerable to Denial of Service. In extra/mariabackup/ds_compress.cc, when an error occurs (pthread_create returns a nonzero value) while executing the method create_worker_threads, the held lock is not released correctly, which allows local users to trigger a denial of service due to the deadlock.
Improper Resource Shutdown or Release
MariaDB Server before 10.7 is vulnerable to Denial of Service
CVE-2022-31624
5.5 - Medium
- May 25, 2022
MariaDB Server before 10.7 is vulnerable to Denial of Service. While executing the plugin/server_audit/server_audit.c method log_statement_ex, the held lock lock_bigbuffer is not released correctly, which allows local users to trigger a denial of service due to the deadlock.
Improper Resource Shutdown or Release
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: FTS)
CVE-2022-21427
4.9 - Medium
- April 19, 2022
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: FTS). Supported versions that are affected are 5.7.37 and prior and 8.0.28 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB)
CVE-2022-21451
4.4 - Medium
- April 19, 2022
Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 5.7.37 and prior and 8.0.28 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).
MariaDB Server v10.6.3 and below was discovered to contain an use-after-free in the component my_mb_wc_latin1 at /strings/ctype-latin1.c.
CVE-2022-27457
7.5 - High
- April 14, 2022
MariaDB Server v10.6.3 and below was discovered to contain an use-after-free in the component my_mb_wc_latin1 at /strings/ctype-latin1.c.
Dangling pointer